Skip to content

feat(prover): add native Rust policy prover with Z3 solver#741

Open
zredlined wants to merge 5 commits intomainfrom
feat/699-policy-prover-rust/zredlined
Open

feat(prover): add native Rust policy prover with Z3 solver#741
zredlined wants to merge 5 commits intomainfrom
feat/699-policy-prover-rust/zredlined

Conversation

@zredlined
Copy link
Copy Markdown
Collaborator

@zredlined zredlined commented Apr 2, 2026

Summary

Native Rust implementation of the OpenShell Policy Prover (OPP) using Z3 SMT solving. Answers two questions about any sandbox policy:

  1. Can data leave this sandbox? — finds exfiltration paths through uninspected (L4-only) endpoints and wire protocol bypasses
  2. Can the agent write despite read-only intent? — finds write operations that bypass read-only policy through binary capabilities and credential scopes

openshell policy prove is now a native CLI command — no Python, no subprocess, no PYTHONPATH.

Supersedes #703 (Python prototype). Closes #699.

Related Issue

Closes #699

Changes

New crate: crates/openshell-prover/

  • model.rs — Z3 constraint model encoding policy rules, binary capabilities, and credential scopes as boolean satisfiability constraints
  • queries.rs — two verification queries (exfiltration, write bypass)
  • policy.rs — policy YAML parser with intent detection, L7 enforcement helpers, workdir modeling
  • registry.rs — binary capability registry (git, curl, node, claude, etc.) loaded from YAML
  • credentials.rs — credential and API capability loading
  • accepted_risks.rs — risk acceptance matching by query + host
  • report.rs — terminal and compact (CI) output
  • finding.rs — finding types and risk levels (HIGH, CRITICAL only)
  • lib.rs — public prove() API + 7 tests

Registry data (crates/openshell-prover/registry/):

  • 9 binary capability descriptors, 1 API descriptor (GitHub)

CLI integration (crates/openshell-cli/src/main.rs):

  • openshell policy prove calls openshell_prover::prove() directly

Dependencies (Cargo.toml):

  • z3 = { version = "0.19", features = ["bundled"] } — self-contained Z3 build

Testing

  • cargo build -p openshell-prover — compiles with Z3 bundled
  • cargo test -p openshell-prover — 7/7 tests pass
  • cargo build -p openshell-cli — CLI compiles
  • End-to-end: openshell policy prove --compact detects exfil + write bypass on test fixture

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • SPDX license headers on all new files

@zredlined zredlined self-assigned this Apr 2, 2026
@zredlined zredlined requested a review from a team as a code owner April 2, 2026 20:32
zredlined added 5 commits April 3, 2026 21:40
@zredlined
feat(prover): add native Rust policy prover with Z3 solver
8eb6033 
Add openshell-prover crate implementing formal policy verification
using Z3 SMT solving. Answers two questions about any sandbox policy:
"Can data leave?" and "Can the agent write despite read-only intent?"

Native Rust — no Python subprocess, no PYTHONPATH, no uv dependency.
Z3 bundled via z3-sys for self-contained builds.

Replaces the Python prototype from #703.

Closes #699

Signed-off-by: Alexander Watson <zredlined@gmail.com>
@zredlined
fix(prover): skip L7-write in exfil, write bypass only on read-only i…
0966414 
…ntent

Port two fixes from the Python branch:
- Exfil query skips endpoints where L7 is enforced and working
- Write bypass only fires on explicit read-only intent, not L4-only

Signed-off-by: Alexander Watson <zredlined@gmail.com>
@zredlined
chore(prover): add missing SPDX license headers to registry and testd…
8585d20 
…ata YAML files
@zredlined
fix(prover): revert serde_yaml to serde_yml to match workspace depend…
f093560 
…ency on main
@zredlined
fix(prover): apply cargo fmt formatting to prover and cli source files
f8a78cf
@zredlined zredlined force-pushed the feat/699-policy-prover-rust/zredlined branch from 89af989 to f8a78cf Compare April 4, 2026 04:40
@zredlined
Copy link
Copy Markdown
Collaborator Author

zredlined commented Apr 4, 2026

@NVIDIA/openshell-codeowners The Rust checks for PR #741 are failing because z3-sys needs libclang for bindgen, and our ghcr.io/nvidia/openshell/ci:latest image doesn’t include it. I can patch branch-checks.yml to install clang/libclang-dev in the Rust jobs for an immediate unblock, but I think we should also update deploy/docker/Dockerfile.ci and republish the CI image as the proper fix. Do folks prefer the workflow-level unblock first, or do we want to fix the CI image before rerunning checks?

@johntmyers
Copy link
Copy Markdown
Collaborator

johntmyers commented Apr 7, 2026

@NVIDIA/openshell-codeowners The Rust checks for PR #741 are failing because z3-sys needs libclang for bindgen, and our ghcr.io/nvidia/openshell/ci:latest image doesn’t include it. I can patch branch-checks.yml to install clang/libclang-dev in the Rust jobs for an immediate unblock, but I think we should also update deploy/docker/Dockerfile.ci and republish the CI image as the proper fix. Do folks prefer the workflow-level unblock first, or do we want to fix the CI image before rerunning checks?

I'd make sure it's in the image.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@zredlined zredlined

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: Add formal policy verification (OpenShell Policy Prover) to Python SDK

2 participants

@zredlined @johntmyers